Illinois biometrics privacy law could be adopted by other states

Several states across the nation are looking to adopt Illinois’ biometrics privacy law as more organizations deploy biometric technology in various applications, and as the courts continue to figure out the potentially costly effects of the law’s mandates on businesses, according to a report by Cook County Record.

Illinois’ Biometric Information Privacy Act, which came into effect in 2008, established protocols which require organizations collecting biometric data to notify people about the practice before they begin to gather data, as well as provide an exact timeline for deleting the data.

“BIPA has been around for a few years and has been interpreted by several jurisdictions, including here in the Northern District of Illinois,” Julie Kadish, a privacy and data security attorney at Foley & Lardner, said. “States may be looking to Illinois as a model because (recent) court decisions may help provide some level of certainty and guidance as to how courts will interpret key provisions in the statute.”

Tech giants Facebook, Snapchat and Google have been battling BIPA-related litigation over the past couple years. In early April, a putative class of consumers said Google cannot stay proceedings to appeal parts of a federal judge’s recent refusal to dismiss claims that allege its face-mapping technology violates BIPA.

Five states are currently evaluating amendments to their biometric laws.

“Alaska, Montana and New Hampshire take a similar approach to BIPA and allow private causes of action,” Kadish said. “Connecticut’s bill takes a very different approach and aims to prohibit retailers from using facial recognition technology for marketing purposes. Washington has some similarities to BIPA and is also like Texas’ current biometric law, in that it can be enforced solely by the attorney general.”

Kadish said that the increasing use of biometric identifiers have resulted in other states scrambling to ensure that their local privacy laws align with the technology’s use.

Meanwhile, both privacy advocates and consumers are demanding more transparency regarding how the public’s biometric information is collected, used and stored.

The lack of federal laws has cleared the path for state-driven initiatives to take charge, with Illinois introducing three other privacy bills since January.

“Businesses need to ensure that they are collecting the information lawfully by using appropriate notice and consent mechanisms,” Kadish said. “(From) appropriate security procedures (to) being mindful of retention and disposal requirements, companies should adopt a ‘privacy by design’ approach and consider the implications of collecting and using biometric information in the initial phases of creating a product or service.”

Kadish said that since BIPA allows for a private cause of action, they should include a clause communicating this in their risk management analysis.

“It is unclear whether other states (will) adopt similar legislation, but we are seeing an uptick in states that care about biometric information,” Kadish said. “For example, several states (including Illinois) have amended their state data breach notification laws in recent years to include biometric information in the definition of ‘personally identifiable information.'”